diff --git a/addons/web/doc/web_controllers.rst b/addons/web/doc/web_controllers.rst
index 86ac0248e7e..71ff9fb8416 100644
--- a/addons/web/doc/web_controllers.rst
+++ b/addons/web/doc/web_controllers.rst
@@ -134,18 +134,25 @@ argument of every model method in OpenERP.
Authorization Levels
--------------------
-By default, all methods can only be used by users logged into OpenERP (OpenERP uses cookies to track logged users).
-There are some cases when you need to enable not-logged in users to access some methods. To do so, add the ``'db'``
-value to the ``auth`` parameter of ``http.route()``:
+By default, all access to the models will use the rights of the currently logged in user (OpenERP uses cookies to track
+logged users). It is also impossible to reach an URL without being logged (the user's browser will receive an HTTP
+error).
+
+There are some cases when the current user is not relevant, and we just want to give access to anyone to an URL. A
+typical example is be the generation of a home page for a website. The home page should be visible by anyone, whether
+they have an account or not. To do so, add the ``'admin'`` value to the ``auth`` parameter of ``http.route()``:
::
- @http.route('/hello', type="http", auth="db")
+ @http.route('/hello', type="http", auth="admin")
def hello(self):
return "
Hello unknown user!
"
-Please note the ``request.uid`` user id will be ``None`` inside this method call. This is due to the fact no user was
-authenticated.
+When using the ``admin`` authentication the access to the OpenERP models will be performed with the ``Administrator``
+user and ``request.uid`` will be equal to ``openerp.SUPERUSER_ID`` (the id of the administrator).
+
+It is important to note that when using the ``Administrator`` user all security is bypassed. So the programmers
+implementing such methods should take great care of not creating security issues in the application.
Overriding Controllers
----------------------
diff --git a/addons/web/http.py b/addons/web/http.py
index 8b49e8f9636..2f9016cf5cc 100644
--- a/addons/web/http.py
+++ b/addons/web/http.py
@@ -156,11 +156,11 @@ class WebRequest(object):
if self.auth_method == "none":
self.db = None
self.uid = None
- elif self.auth_method == "db":
+ elif self.auth_method == "admin":
self.db = self.session._db or db_monodb()
if not self.db:
raise SessionExpiredException("No valid database for request %s" % self.httprequest)
- self.uid = None
+ self.uid = openerp.SUPERUSER_ID
else: # auth
try:
self.session.check_security()
@@ -235,7 +235,7 @@ def route(route, type="http", auth="user"):
authentication modules.
"""
assert type in ["http", "json"]
- assert auth in ["user", "db", "none"]
+ assert auth in ["user", "admin", "none"]
def decorator(f):
if isinstance(route, list):
f.routes = route